The mystery behind the samples of the new REvil ransomware operation

The REvil ransomware gang has resumed its operations: experts have found a new encryptor and a new attack infrastructure.

The REvil ransomware operation shut down in October 2021. In January, the Russian Federal Security Service (FSB) announced that it had shut down the REvil ransomware gang, the group behind a long string of attacks against large organizations such as Kaseya and JBS USA. The FSB claimed to have identified all members of the REvil gang and monitored their operations. The police operation was conducted by Russian authorities following a request by the United States, which shared information about members of the gang.

The Russian police arrested 14 alleged members of the ransomware gang and raided 25 addresses seizing computer equipment and cryptocurrency wallets. The raids took place in Moscow, St. Petersburg, Leningrad, and Lipetsk regions.

The beginning of the invasion of Ukraine by Russia and the tensions with the NATO alliance supporting Kyiv have brought about some disturbing changes in the threat landscape.

A few weeks later, the REvil Tor infrastructure was up again, but it was redirecting visitors to a new leak site showing a list of new compromised organizations along with past victims of the ransomware gang.

The Tor site was also defaced by threat actors and some experts speculate it was temporarily operated by feds as part of a crime investigation.

Last week, the malware researcher Jakub Kroustek from AVAST discovered a sample of a new REvil encryptor. The expert noticed that the sample does not encrypt files; it only adds a random extension to the victim’s files.

A few hours ago, we blocked a #ransomware sample in-the-wild that looks like a new #Sodinokibi / #REvil variant. Timestamp 2022-04-27, new config, new mutex, campaign ID, etc. Funny thing… it does not encrypt files; only adds a random extension 42 BTC https://t.co/UL1ECGLpmg pic.twitter.com/A8p5SLjcZr
— Jakub Kroustek (@JakubKroustek) April 29, 2022

According to BleepingComputer, multiple malware researchers discovered new REvil samples that have been compiled from the original source code but that implement new changes.

Raw config for the REvil ransommware reborn:https://t.co/4oqz4spsc0 https://t.co/Jbt2r0f7Ru
— Vitali Kremez (@VK_Intel) May 2, 2022

BleepingComputer correctly pointed out that the public return of the REvil operation is suspicious.


Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

The post The mystery behind the samples of the new REvil ransomware operation appeared first on Security Affairs.